The Information Commissioner’s Office (ICO) has ruled that voice data was collected unlawfully by Her Majesty’s Revenue and Customs (HMRC) and should be deleted.
The ICO’s investigation into HMRC’s Voice ID service was prompted by a complaint from privacy rights group Big Brother Watch over the department’s conduct. The investigation focused on the use of voice authentication for customer verification on some of HMRC’s helplines since January 2017.
HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent, the ICO found. This is a breach of the General Data Protection Regulation (GDPR).
The regulator issued a preliminary enforcement notice to HMRC on the 4th of April 2019, stating the Information Commissioner’s initial decision to compel the department to delete all biometric data held under the Voice ID system for which it does not have explicit consent.
A final enforcement notice will be issued this week, giving HMRC 28 days from that date to complete deletion of relevant records.
Steve Wood, ICO deputy commissioner, said: “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
The ICO’s investigation was carried out under the GDPR, which came into force in 2018. Under the GDPR, biometric data is considered special category information and is subject to stricter conditions.
HMRC has said it will continue to use its Voice ID service despite criticisms from the ICO about its retention of the biometric data.
Sir Jonathan Thompson, HMRC’s permanent secretary, has written a letter to the department’s data protection officer, Chris Franklin, saying he is satisfied that HMRC should continue to use Voice ID. The department will also retain the data on 1.5 million customers from whom it has obtained specific consent since it made changes in October 2018 to comply with the GDPR.
A spokesperson for HMRC said: “We offer Voice ID as an easy way for customers to access their accounts securely by phone and have ensured it complies with GDPR consent rules since October 2018. Over 1.5 million people who have phoned HMRC since October 2018 have told us they want to continue using the service and we’re already deleting the records of those who haven’t.”